Issue #25 | September, 2024
The hidden world
NPR's Planet Money recently published an episode about "The hidden world behind your new 'banking' app" that looks at the complicated web of services and relationships that make certain fintech products possible, all the while avoiding the regulatory scrutiny that regular banks must go through. It mentions the issues with Yotta that left customers without access to their funds.
Now, this could be somewhat out of reach for those who aren't in the financial sector, so let's look a bit closer to home. What about the hidden world behind IT? What lies beyond every single click, how many pieces of software, and how many devices must work correctly for each packet to get to its destination and receive a response?
As we've seen numerous times by now, this "hidden world" of vendors and interconnected applications has a surface – or an attack surface, at least. Attackers are getting very good at finding ways to exploit this, and it's important that this "world" doesn't stay hidden from us. To make it secure, we need to be able to see it.
This edition brings you updates on CrowdStrike and Microsoft, as well as our usual breaches round-up. Make sure you don't skip the section dedicated to regulators, as CISA has a very interesting new guidance for "Secure by Demand." Also, don't miss the guidance articles we have compiled for you.
By the way, we also have an important invite for you: if you work in third-party cyber risk management, make sure to sign up for our yearly event, Tenchi Conference 2024, happening on November 6 in São Paulo. It will be a fantastic opportunity to hear from some of the absolute best in the industry today, as well as a great chance to socialize with peers. Here's the link for pre-registration:
Enjoy!
CrowdStrike incident aftermath: company takes a revenue hit, will testify before Congress
After a faulty content update caused its Falcon Sensor to crash Windows and left 8.5 million systems unable to boot, CrowdStrike says it expects an impact of $60 million to its net new annual recurring revenue and subscription revenue. Company executives remain optimistic:
CrowdStrike expects an impact of about $60 million in net new annual recurring revenue and subscription revenue due to what it dubbed its “customer commitment packages,” discounts it’s offering some customers through the second half of this year, CFO Burt Podbere said during the Wednesday earnings call for the company’s fiscal 2025 second quarter, which ended July 31. “When we get to the back half of next year, we’ll start to see an acceleration in the business.” […]
Despite the temporary financial impact, CEO George Kurtz disputed competitors’ claims of customer defections in the wake of CrowdStrike’s error.
The customer defections Kurtz disputed have been reported by competitors such as Palo Alto Networks and SentinelOne, which say they are picking up CrowdStrike customers. Both sides may be right: businesses could be pursuing a diversification strategy to reduce the number of endpoints protected by CrowdStrike without planning to abandon its products entirely.
Diversified ecosystems can be more resilient to attacks. As intruders move laterally to other corporate systems, they suddenly face a completely different line of defense, increasing the chance that at least one of the defenses present will catch them. On the other hand, using multiple vendors also means managing multiple contracts and systems, an additional burden on IT, procurement, and even legal teams. Hopefully, companies looking into this will find the right balance. Dan Geer, whose writing on the risks of software monoculture remains the authoritative source on these matters, has spoken.
Even those who want to fully switch away from CrowdStrike probably can't do that so quickly. As The Register explains, CrowdStrike's offerings are based on several "modules," and many customers use more than one of them. Replacing everything at once might just not be feasible. However, once businesses do start to switch, momentum can build quickly. Time will tell if CrowdStrike's optimism is warranted.
Revenue loss isn't the only issue for CrowdStrike, though: the company is facing a class-action lawsuit from investors. That's in addition to the legal threats from Delta we mentioned last month (the airline is in turn being sued by passengers).
Finally, a senior CrowdStrike executive is expected to appear before the House Homeland Security Committee on September 24. It's unlikely that any new information will surface by that point, especially since the company now has reasons to avoid handing over any ammunition that could be used against it in court. Still, even more of the same could become a political weapon depending on how the issue is framed in the House.
Windows Endpoint Security summit, Azure DDoS attack: Microsoft news
As we mentioned last month (see here if you missed it), security products on Windows often use kernel drivers to gain access levels that are off-limits to most applications. Those drivers require a special digital signature from Microsoft, but Microsoft says it cannot deny security vendors this access because of an antitrust agreement with the European Commission: the company is a direct competitor to many security vendors and could otherwise give its own products an unfair advantage.
After the CrowdStrike incident, the German Federal Office for Information Security (BSI) is asking Microsoft to change this and wants to find a way to satisfy antitrust regulators (the Wall Street Journal's coverage is paywalled, but this analysis from GovInfoSecurity mentions some of the WSJ's reporting).
Microsoft seems to agree. The company announced a "Windows Endpoint Security Ecosystem Summit":
The CrowdStrike outage in July 2024 presents important lessons for us to apply as an ecosystem. Our discussions will focus on improving security and safe deployment practices, designing systems for resiliency and working together as a thriving community of partners to best serve customers now, and in the future.
It is expected that the Windows Endpoint Security Ecosystem Summit will lead to next steps in both short- and long-term actions and initiatives to pursue, with improved security and resilience as our collective goal. We will share further updates on these conversations following the event.
Despite the very apparent effects of the CrowdStrike error and the Windows “blue screens of death” it caused, the Summit is expected to be held behind closed doors. It won't be live-streamed and there will be no press. The company promised that its Defender team will attend like any other security company and won't receive preferential treatment.
In other Microsoft news, the company had to fend off a distributed denial-of-service (DDoS) attack against its Azure cloud infrastructure. However, an error in the implementation of its defenses amplified the impact rather than mitigating it, and the resulting outage lasted about eight hours. Christoph Ebeling weighed in by pointing out that, while the way Azure was built could be making it less resilient than competitors, it's far more resilient than the infrastructure used by most companies and governments, and it would be a mistake to look at such events as an issue exclusive to the cloud. The incident timeline is available from Azure's status page.
The Cybersecurity and Infrastructure Security Agency (CISA) has said that Microsoft's commitment to expand access to event logs from its services is helping organizations to detect threats, according to Cybersecurity Dive. It appears that CISA believes that its efforts to pressure Microsoft into providing these logs at no additional cost have paid off.
And our last Microsoft story here is about Recall. The "feature" (in quotes because whether it deserves the name is still under debate) is expected to make a comeback in October. The company has also confirmed that, while Recall can be disabled, users won't have the option to uninstall it from the "Windows features" panel.
National Public Data, Toyota: breaches round-up
National Public Data, a company that provides data and services for background checks, has suffered a data breach. Because the company aggregates records from many sources, the leak is believed to contain almost three billion records and millions of Social Security Numbers (SSNs).
In a statement on Friday, National Public Data said it detected suspicious activity in its network in late December, and subsequently a hacker leaked certain tranches of data in April and throughout the summer. […] “The information that was suspected of being breached contained name, email address, phone number, social security number, and mailing address(es).”
Don't be confused by the name: the company has nothing to do with the government and is actually named Jerico Pictures, Inc. The company is already facing class-action lawsuits, and the incident has a dedicated Wikipedia page. Additional coverage is available from Brian Krebs.
After a leak was posted to a hacking forum, car maker Toyota confirmed that a data breach happened at a "third-party," but wasn't very clear on the company's relationship with this entity. In a statement to Bleeping Computer, the company said that "it's engaged with those who are impacted," suggesting that the data is in some way related to the company.
A technical report from Lumen explains how Chinese hackers from Volt Typhoon exploited a zero-day vulnerability in Versa Director to target American ISPs in a way that could also compromise downstream (i.e., customer) infrastructure. We've reported on Volt Typhoon previously due to them being known to target critical government and public utility infrastructure.
TechCrunch covers the story of an attack that took down Mobile Guardian, a provider of educational device management software, and remotely wiped students' devices. A student had raised concerns weeks before the incident about a security bug, although it is unclear if the perpetrator exploited the same bug the student found.
Security researcher Jeremiah Fowler found an exposed database from Service Bridge containing 31.5 million records. It's unknown whether anyone downloaded this data, however, so it's still possible that a breach has been avoided.
Software vendor Young Consulting is notifying 954,177 individuals whose data was leaked after the company was hit by the BlackSuit ransomware. Another incident at the Oregon Zoo leaked credit card data from over 110,000 individuals after the third-party operator of the zoo's ticketing system was breached.
While we're still on the topic of leaks, content from Netflix has been showing up online before being made available on the service. It appears some of the content may have been leaked by a dubbing company, Iyuno, that was hired by Netflix. Iyuno published a statement regarding "unauthorized access to confidential content."
In India, nearly 300 banks suffered outages due to a cyberattack against C-Edge Technologies, a technology service provider. Juniper Networks has a technical write-up on how the attack went down. The Reserve Bank of India is taking steps to mitigate third-party risks to India's financial system.
Lastly, Halliburton revealed it has been hit by a cyberattack. So far, the incident appears to have been contained, so a repeat of the Colonial Pipeline shutdown looks unlikely.
CISA Releases Secure by Demand
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have released a guidance document titled Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem:
An organization’s acquisition staff often has a general understanding of the core cybersecurity requirements for a particular technology acquisition. However, they frequently don’t assess whether a given supplier has practices and policies in place to ensure that security is a core consideration from the earliest stages of the product development lifecycle.
The guide is available as a web page (also PDF). It's structured as a list of questions that companies can ask software companies regarding their development practices and security roadmap. The agency explains that validating a vendor's enterprise security practices is not enough to make sure that the product delivered is also secure. Additional coverage is available from The Cyber Express.
Meanwhile, CISA director Jen Easterly told attendees at the Black Hat security conference that cybersecurity is a software quality problem, and that security vendors are often trying to mitigate vulnerabilities that technology vendors have allowed to take shape. She has once again endorsed a "software liability regime" imposed by law.
In another move by the US government, the Department of Defense is proposing to amend the Defense Federal Acquisition Regulation Supplement (DFARS) to include contractual requirements related to the Cybersecurity Maturity Model Certification (CMMC) 2.0. In brief, this outlines the contractual clauses that would enforce the CMMC on vendors. The DoD is seeking comment on the changes until October 15 (Source from the Federal Register).
DoD security requirements are also at the core of a lawsuit against the Georgia Institute of Technology and Georgia Tech Research Corporation. According to the government, the institute failed to comply with the requirement to install anti-virus software and submitted a false cybersecurity assessment score. Coverage from CyberScoop has some more background on the case, as well as Georgia Tech's statements (they will dispute the charges).
In the Senate, a bill that would enforce mandatory vulnerability disclosure on federal contractors is moving forward. Since a similar bill is getting traction in the House, it's becoming more likely that a vulnerability disclosure policy will eventually take shape.
Now, some headlines from the United Kingdom. The country's Digital Catapult (which in turn is funded by Innovate UK and the Department for Science, Innovation and Technology) is launching a program to tackle three supply chain challenges, two of which (cybersecurity and data governance) are security-related.
The UK's Information Commissioner's Office (ICO) seems to be doing its part on this matter, as it fined NHS vendor Advanced £6 million for a security incident from 2022. We covered this incident in the very first edition of Alice in Supply Chains – and we've just completed our second year, so that's how long this took. Perhaps unsurprisingly, the ICO found that the intruders used an account that did not have MFA.
We shall see if Microsoft will face a similar penalty, since it appears that British government emails were leaked to Russian hackers when they breached Microsoft systems earlier this year. The messages had been shared with Microsoft before the breach, so no government infrastructure or email accounts were compromised.
Guidance: top ways to assess and address third-party cybersecurity risk
Forbes published a compilation of tips from several experts with guidance on third-party risk management. It's worth a read; here is the very first one, echoing some of the views we've been sharing in this newsletter:
Implement a tiered risk assessment framework that categorizes vendors based on their access to sensitive data and potential impact on operations. Conduct tailored security assessments for each risk level, and automate continuous monitoring and real-time threat detection.
We have several articles with guidance this time. "Managing third-party cybersecurity risks in the supply chain" from Tesserent also brings up an idea that readers of this newsletter will be familiar with: the need to see your third parties as allies and "help them uplift their cybersecurity posture."
"Cyber Supply Chain Security and Third-Party Risk Management" at BankInfoSecurity looks at the intersection between supply chain risk management (SCRM) and third/fourth-party risk management. "Optimizing third-party risk" at the ABA Journal reminds us that we should have a good operating model and avoid fractured processes or "silos," as TPCRM efforts will likely fall short of expectations in those scenarios. The Federal Reserve Bank of Atlanta also published an article that reminds banks of their responsibilities on this matter.
Law firm Dentons published an article with guidance tailored for vendor contracts involving AI. It reminds businesses that due diligence is required for both the vendor and the AI model, so businesses should seek to know how the AI model was trained on top of making sure that cybersecurity requirements are part of the contract.
"Supply Chain - The Achilles Heel of Cybersecurity" at HackerNoon builds on this idea and discusses both the potential benefits of employing AI in cybersecurity and the new set of challenges it introduces.
Finally, the American Hospital Association published an article stating that "third-party cyber risk impacts the health care sector the most." The article briefly describes four strategies for mitigating third-party risk, so it's best suited to those who need a starting point.
One in five businesses impacted by hardware supply chain attacks
HP released a study that shows how the security of computing devices and other hardware affects overall corporate security:
Almost one-in-five (19%) organizations surveyed say they have been impacted by nation-state threat actors targeting physical PC, laptop, or printer supply chains. In the US, this figure rises to 29%.
Over a third (35%) of organizations surveyed believe that they or others they know have already been impacted by nation-state threat actors targeting supply chains to try and insert malicious hardware or firmware into devices.
We happen to be able to cite an example that was disclosed days after the study, as researchers found a hardware backdoor on contactless cards used to secure hotels and offices.
Now, going back to software, a survey carried out by Onymos found that "45% of tech leaders report that they have experienced a cybersecurity incident through a third-party SaaS solution in the past year." (PDF)
Cybersecurity company Resilience has made available its Midyear 2024 Cyber Risk Report. It claims that "around 40% of all cyber insurance claims filed this year were caused by a failure at a third-party vendor," and that "increasing M&A and reliance on ubiquitous software vendors created new opportunities for threat actors to unleash widespread ransomware campaigns by exploiting a single point of failure."
Another study from Escode and CeFPro found that not many businesses have "exit plans" for their third-party agreements for instances where the vendor fails or becomes insolvent (a "stressed exit"). According to this survey, only a fifth of the respondents said they had stressed exit plans on at least 76% of their contracts, and almost half said such plans only exist for 0-10% of vendor agreements.
GuyCarpenter published a short essay that cites several AI-related studies to argue that AI is a "driver of cyber aggregation risk." The authors show how AI can be a risk to companies as an attack surface (through jailbreak, for example), as software (due to issues in the software supply chain) and through the data it needs to function (either due to leaks during training or operation).
Finally, a study from Cyble based on dark web monitoring found that criminals have claimed 90 breaches stemming from supply chain attacks from February to August – or about one every two days. IT providers accounted for a third of those breaches.
We have a few more bonus links for you below, with news on the MOVEit incident and a recap of the Change Healthcare incident and its impacts on the healthcare ecosystem. Hopefully, we've learned enough by now that we won't see anything like it again anytime soon… But this newsletter will be back next month. See you then!
Over a year later, a credit union has found that it was impacted by the MOVEit Transfer incident from May 2023. In related news, the SEC recently concluded its investigation and told Progress Software it does not intend to recommend an enforcement action against the company.
Texas Dow Employees Credit Union (TDECU) experienced a data breach in which the personal information of more than 500,000 members was leaked. The breach occurred when a third-party vendor used for transferring data, MOVEit, was compromised on May 31, 2023. This breach impacted more than 20 million individuals.
It seemed like an ordinary Wednesday afternoon, until it wasn’t. The outage was sudden. On February 21, billing systems at doctors offices and healthcare practices stopped working, and insurance claims stopped processing. The status page on Change Healthcare’s website was flooded with outage notifications affecting every part of its business, and later that day the company confirmed it was “experiencing a network interruption related to a cyber security issue.” Clearly something had gone very wrong.
It turns out that Change Healthcare invoked its security protocols and shut down its entire network to isolate intruders it found in its systems.